Polymarket Oracle

Security checks across malware telemetry and agentic risk

Overview

This looks like a real Polymarket scanner/trading skill, but its setup guidance repeatedly risks exposing a wallet private key that the runtime does not appear to need.

Install only after reviewing the credential guidance carefully. Do not put WALLET_PRIVATE_KEY in the runtime environment, systemd unit, shell profile, or server credential file; generate Polymarket API credentials locally and run the bot only with revocable API credentials and a small dedicated wallet. Treat Telegram alerts as third-party disclosure of trading signals, and do not rely on unattended live trading claims until the execution and risk-control behavior are corrected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding
The skill advertises significant capabilities involving environment secrets, network access, and implied file output, yet it does not declare explicit permissions in a dedicated permissions model. That creates a transparency and policy-enforcement gap: users and hosting platforms may not fully understand or constrain what the skill can access, especially given it handles financial credentials and can transmit data externally.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding
The described purpose focuses on market scanning and trading, but the skill also includes external Telegram messaging, continuous monitoring/notification behavior, and workspace logging. In a real-money trading context, undisclosed side effects are dangerous because they can leak sensitive trading activity, strategy data, or operational metadata, and they expand the attack surface beyond what a user may reasonably expect.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The document explicitly claims the bot only needs API credentials at runtime, then later instructs users to export and persist a wallet private key on the server. That contradiction materially increases the chance operators will place a non-revocable signing secret on a host that may be exposed, giving an attacker full control of wallet funds rather than limited trading-only access.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding
The code reads a wallet private key from the environment even though no wallet-signing or execution path in this file requires it. Unnecessary access to highly sensitive credentials increases blast radius: if the process, logs, dependencies, or future code paths are compromised, an otherwise unneeded secret is exposed for no operational reason.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
This section tells users to export WALLET_PRIVATE_KEY and then make it permanent in ~/.bashrc or ~/.zshrc, directly contradicting earlier warnings not to store it long-term. Persisting a blockchain private key in shell startup files exposes it to local compromise, backups, dotfile syncing, process/environment leakage, and accidental disclosure, enabling irreversible theft of wallet assets.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The systemd example embeds the wallet private key and other secrets directly in the unit file, which is commonly readable by privileged operators, may be checked into config management, and is often exposed via process inspection or service management workflows. Including the wallet private key here is especially dangerous because compromise grants full wallet control and cannot be safely rotated like an API key.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The README tells users to export highly sensitive credentials, including a wallet private key, directly into shell environment variables without any prominent warning about shell history, process exposure, shared-session leakage, or safer secret-storage practices. In the context of an automated trading bot that can move funds, exposed credentials could allow unauthorized trading or direct theft of assets, making this more dangerous than ordinary API-key handling guidance.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The guide instructs users to place API keys, wallet private keys, and bot tokens directly in the systemd unit file. Unit files are often more broadly readable to privileged operators, may be captured in backups or support bundles, and normalize unsafe secret handling before the document later mentions a safer alternative. Because this skill operates a trading bot with wallet credentials, exposure could lead to account compromise and theft of funds.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The skill sends opportunity summaries to Telegram, a third-party service, whenever bot credentials are configured. Even though the transmitted data is market-derived rather than a secret itself, it can reveal trading strategy, targets, and timing, which may expose proprietary behavior or operational intent to an external platform and anyone with access to the chat.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
        - "https://clob.polymarket.com/*"
        - "https://gamma-api.polymarket.com/*"
        - "wss://ws-subscriptions-clob.polymarket.com/*"
        - "https://api.telegram.org/bot*"
      requires_credentials: true
      uses_websocket: true
    security_level: "L3 - Financial Execution (Real Money)"
Confidence: 87%
Finding
https://api.telegram.org/

VirusTotal

58/58 vendors flagged this skill as clean.